Beyond Information Security

Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell

A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.

Forescout Vedere Labs, in a report published today, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025.

CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible “/developmentserver/metadatauploader” endpoint.

The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework.

Source: The Hacker News

Link: https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html


SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root

SonicWall has released patches to address three security flaws affecting SMA 100 Secure Mobile Access (SMA) appliances that could be chained to achieve remote code execution.

The vulnerabilities are listed below –

  • CVE-2025-32819 (CVSS score: 8.8) – A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to bypass the path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings.
  • CVE-2025-32820 (CVSS score: 8.3) – A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to inject a path traversal sequence to make any directory on the SMA appliance writable.
  • CVE-2025-32821 (CVSS score: 6.7) – A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN admin privileges to inject shell command arguments to upload a file on the appliance.

“An attacker with access to an SMA SSL-VPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory,” Rapid7 said in a report. “This chain results in root-level remote code execution.”

Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek

Link: https://thehackernews.com/2025/05/sonicwall-patches-3-flaws-in-sma-100.html

Link: https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/

Link: https://www.darkreading.com/endpoint-security/sonicwall-patch-exploit-chain-sma-devices

Link: https://www.securityweek.com/possible-zero-day-patched-in-sonicwall-sma-appliances/


Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT

Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system.

The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system.

“This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system,” the company said in a Wednesday advisory. “An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.”

Source: The Hacker News / BleepingComputer / SecurityWeek / Cisco security advisory

Link: https://thehackernews.com/2025/05/cisco-patches-cve-2025-20188-100-cvss.html

Link: https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/

Link: https://www.securityweek.com/cisco-patches-35-vulnerabilities-across-several-products/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC


Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild.

The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges.

“The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed,” Google said in a Monday advisory. “User interaction is not needed for exploitation.”

It’s worth noting that CVE-2025-27363 is rooted in the FreeType open-source font rendering library. It was first disclosed by Facebook in March 2025 as having been exploited in the wild.

Source: The Hacker News / SecurityWeek

Link: Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

Link: https://www.securityweek.com/android-update-patches-freetype-vulnerability-exploited-as-zero-day/


Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization

Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States.

The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by Microsoft last month.

Play, also called Balloonfly and PlayCrypt, is known for its double extortion tactics, wherein sensitive data is exfiltrated prior to encryption and a ransom is demanded for both. It has been active since at least mid-2022.

In the activity observed by Symantec, the threat actors are said to have likely leveraged a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point, taking advantage of an as-yet-undetermined method to move to another Windows machine on the target network.

The attack is notable for the use of Grixba, a bespoke information stealer previously attributed to Play, and an exploit for CVE-2025-29824 that is dropped in the Music folder under names that masquerade as Palo Alto Networks software (e.g., “paloaltoconfig.exe” and “paloaltoconfig.dll”).

Source: The Hacker News / BleepingComputer / Dark Reading

Link: https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html

Link: https://www.bleepingcomputer.com/news/security/play-ransomware-exploited-windows-logging-flaw-in-zero-day-attacks/

Link: https://www.darkreading.com/cyberattacks-data-breaches/play-ransomware-group-windows-zero-day


State-of-the-art phishing: MFA bypass

Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies. The developers behind Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy have added features to make them easier to use and harder to detect.

WebAuthn, a passwordless MFA solution based on public key cryptography, never transmits a password and leaves nothing reusable in the server-side authentication database, offering a robust defense against MFA bypass attacks.

Despite its strong security benefits, WebAuthn has seen slow adoption. Cisco Talos recommends that organizations reassess their current MFA strategies in light of these evolving phishing threats.
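As an added illustration of why WebAuthn resists the reverse-proxy relay described above (example code written for this digest, not from the Talos post): the relying-party checks that bind an assertion to the genuine origin and RP ID. The RP ID, origin, challenge and lookalike domain are constructed sample values, and the final public-key signature check that follows these steps is assumed to be done separately.

```python
import base64
import hashlib
import json

# Constructed RP identity for this example; not from the Talos post.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> str:
    """Relying-party checks on a WebAuthn assertion (before the signature check).
    Returns "ok" or the name of the first failed check. The browser writes the real
    page origin into clientDataJSON and the authenticator hashes the RP ID into
    authenticatorData; the signature covers both, so a proxy cannot rewrite them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge"       # replayed or proxy-substituted challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin"          # assertion was produced on a phishing origin
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash"        # credential scoped to a different RP ID
    if not authenticator_data[32] & 0x01:
        return "userPresence"    # UP flag (bit 0) must be set
    return "ok"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser serialises into clientDataJSON (constructed sample)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def demo() -> dict:
    challenge = hashlib.sha256(b"constructed-session-nonce").digest()
    legit = verify_binding(make_client_data(EXPECTED_ORIGIN, challenge), make_auth_data(RP_ID), challenge)
    # Victim signs in through an AiTM reverse proxy on a lookalike domain: the browser
    # records that origin and the credential is scoped to that RP ID, so the RP rejects it.
    phish = "example-com.login-portal.test"
    proxied = verify_binding(make_client_data("https://" + phish, challenge), make_auth_data(phish), challenge)
    return {"legit": legit, "proxied": proxied}
```

The same origin check is why a relayed password plus TOTP code succeeds while a relayed WebAuthn assertion does not: the proxy never holds anything it can re-sign for the real origin.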

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/